April 02, 2022

Mozilla’s Vision for Web Evolution


Mozilla is pushing safety, privacy, and openness in their vision of the evolution of the web. The paper provides Mozilla’s view of what needs to happen and how it can occur, tackling issues such as users being spied on and burdened by complex and slow processes. They also note that much of the web is inaccessible or out of reach for many non-native English speakers and disabled individuals. An executive summary of their vision document can be found here.

Mozilla envisions a future where the web has no gatekeepers and a change in the way users are monetised through advertising strategies. They want everyone to be able to access the internet so they can reach out to others, empower those individuals to accomplish their goals, and ensure everyone can use the web without endangering themselves or others.

Mozilla Foundation Logo 2017

They have identified a number of actions that can be taken today to uphold these values, including protecting user privacy by removing current surveillance mechanisms such as cross-site tracking, and protecting users from malicious code by ensuring web browser developers routinely patch security vulnerabilities and prevent future ones.

In addition, they suggest that encryption should occur in legacy protocols such as DNS and in newer protocols, rather than only at the HTTP level for each webpage. They state that the infrastructure of the web and the browsers used to surf it need to be much faster, and that people should be able to publish information and data more easily to enable more sharing. They also add that non-native English speakers and disabled people require a more accessible web and deserve the first-class experience that others have.

Ransomware is Pressuring Public Services


The FBI and CISA have indicated that ransomware attacks are becoming a safety risk to public services, which are attractive targets to cybercriminals because of their critical nature. Public services such as utility companies, emergency services, safety operations, healthcare and the education sector are being increasingly targeted, and sensitive personal data is being stolen, putting local residents at risk of fraud.

Local governments will see no decline in these attacks as the deployment of malware continues to evolve. The FBI explained a ransomware attack in January of this year forced a US county to take down their computer systems and enact an emergency response through their backup procedures. The county jail was targeted which meant surveillance cameras were deactivated along with the jail’s data collection capabilities, automated doors, and internet access. This obviously caused alarm amongst employees and resulted in significant safety concerns for the facility.

There are plenty of other examples too, including an attack in September 2021 that closed a county courthouse and the attackers subsequently leaked personal details of employees and residents online after the ransom wasn’t paid. And in May 2021, several local governments were infected with a ‘PayOrGrief’ ransomware attack that led to servers and online services becoming inaccessible.

Union County Government Center, North Carolina

According to the report, only academia and higher education facilities were attacked more frequently than local government services in 2021. The FBI has restated several times that victims should not pay any ransom demands because it may encourage further attacks. However, some targets decide to pay so they are able to quickly restore their services.

After paying the ransom though, restoring a network can be a complicated and long task to complete, and there is no certainty that the decryption key provided by the hackers will work or that they won’t return later. The FBI encourages all victims to report any ransomware incident to help prevent future attacks.

They have also recommended numerous cybersecurity measures [PDF] that businesses can enact to help prevent becoming a victim, including keeping software and operating systems up to date with the latest security patches, and requiring strong passwords for online accounts. This makes it harder for criminals to exploit network and system vulnerabilities and guess user passwords.

In addition, organisations should keep offline backups of their data that are regularly tested and updated so networks can be restored without decryption keys. Employees should be required to use multi-factor authentication for their webmail, accounts, and VPNs to add an additional layer of protection against such attacks.

April 01, 2022

Linux Networking Bug


A graduate student at the University of California has found a vulnerability (CVE-2022-27666) in IPSec’s esp6 crypto module which can potentially be abused for local privilege escalation. The problem is a heap overflow: the receive buffer for a user message in esp6 is 8 pages, but a message larger than that can be sent, overflowing the buffer.

Red Hat states this can allow an attacker to overwrite kernel heap objects and escalate their local privileges. Both NIST and Red Hat have given this vulnerability a CVSS score of 7.8 – which is very high. If IPSec is already in use on a Linux system (more than likely) and has IPSec Security Associations configured (which is essential to the network security protocol), there are no additional privileges needed to exploit this bug, meaning many people are open to this attack including users of the popular Linux distros such as Ubuntu, Debian, and Fedora.
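As an added illustration of the bug class described above (a constructed model written for this post, not the kernel’s esp6 code and not the actual fix), this is the check a receive path needs when it accumulates a user message into a fixed 8-page buffer: the bound must be on the running total, so an oversized message is refused whether it arrives in one piece or in many fragments.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class, not the kernel's esp6 code: a fixed
 * 8-page receive area (the size quoted above) collecting fragments of one
 * user message. The capacity check is on the running total, so an oversized
 * message is refused whether it arrives in one piece or in many. */
#define PAGE_SIZE_BYTES 4096u
#define RX_PAGES 8u
#define RX_CAPACITY (PAGE_SIZE_BYTES * RX_PAGES)

struct rx_buf {
    size_t used;                     /* bytes already copied in */
    unsigned char data[RX_CAPACITY]; /* the 8-page receive area */
};

/* Append one fragment: 0 on success, -EMSGSIZE if it would push the total
 * past the 8-page area. Written as "len > remaining" rather than
 * "used + len > capacity" so an attacker-chosen len cannot wrap the sum. */
int rx_append(struct rx_buf *rx, const unsigned char *frag, size_t len)
{
    if (len > RX_CAPACITY - rx->used)
        return -EMSGSIZE;
    memcpy(rx->data + rx->used, frag, len);
    rx->used += len;
    return 0;
}

/* Deliver total_len bytes in fragments of at most frag_len (capped at 1 KiB
 * here) and return how many bytes were accepted before a fragment was refused. */
size_t rx_feed(size_t total_len, size_t frag_len)
{
    static unsigned char chunk[1024];   /* constructed filler payload */
    struct rx_buf *rx = calloc(1, sizeof *rx);
    size_t accepted;
    if (rx == NULL)
        return 0;
    if (frag_len == 0 || frag_len > sizeof chunk)
        frag_len = sizeof chunk;
    while (total_len > 0) {
        size_t n = total_len < frag_len ? total_len : frag_len;
        if (rx_append(rx, chunk, n) != 0)
            break;
        total_len -= n;
    }
    accepted = rx->used;
    free(rx);
    return accepted;
}
```

A message of exactly 8 pages is accepted in full; anything beyond that stops at the 8-page boundary instead of writing past the heap object.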

Linux Brand Tux Penguin

The student was able to get around Kernel Address-space Layout Randomisation (KASLR), which typically makes memory exploitation much harder because processes are placed at random rather than fixed memory addresses. After hanging this process, an attacker could use Filesystem in User Space (FUSE) to create their own filesystem and map memory to it. All read/write functions will then be handled by the attacker’s filesystem, which makes it trivial to then gain root access to the system.

Please see the updates for your Linux distro in order to patch this vulnerability!